[keycloak-dev] Isn't SSL required a global setting?

Bill Burke bburke at redhat.com
Fri Jan 10 11:59:35 EST 2014


I don't know.  Maybe some applications will not be able to have HTTPS. 
A realm may want to allow an application to receive auth code redirects 
over an insecure channel.

On 1/10/2014 11:49 AM, Stian Thorgersen wrote:
> Yer, but does it have to be a per-realm thing? It makes more sense to me that by default all traffic to Keycloak is required to be https, unless you explicitly disable it (for dev).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 10 January, 2014 4:32:25 PM
>> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
>>
>> "Require SSL" is mainly used to force application/oauth redirect URLs to
>> be HTTPS endpoints.  Otherwise, auth codes (not tokens) are transmitted
>> in the clear back to the application.  A nice side-effect is that if the
>> admin forgets to set up web.xml, the token service will barf too :)
>>
>> On 1/10/2014 11:24 AM, Stian Thorgersen wrote:
>>> At the moment we have an SSL required setting per-realm. I was thinking that
>>> it should be a global configuration for a Keycloak server. In production
>>> all requests to a Keycloak server should be over https, while in
>>> development it should be possible to use http for simplicity. That's not a
>>> per-realm thing IMO.
>>>
>>> If it's ok that it's a global config, we can drop it from the realm and
>>> instead add:
>>>
>>> <security-constraint>
>>>       <web-resource-collection>
>>>           <web-resource-name>keycloak</web-resource-name>
>>>           <url-pattern>/*</url-pattern>
>>>       </web-resource-collection>
>>>       <user-data-constraint>
>>>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>       </user-data-constraint>
>>> </security-constraint>
>>>
>>> To the web.xml in the distribution. In the documentation we should then
>>> have two options, first how to configure SSL on WildFly, second how to
>>> allow HTTP (with a warning that it's only for development!).
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
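The thread distinguishes two different places where "require SSL" bites: the web.xml transport-guarantee protects Keycloak's own endpoints, while the realm setting Bill describes protects the application's endpoint by refusing to redirect an auth code to a non-HTTPS redirect URI. The following is an added example, not Keycloak's code: it models both designs under discussion (a global default with an optional per-realm opt-out, so a "dev" realm can keep using plain HTTP) and applies the redirect-URI check. The names `GLOBAL_SSL_REQUIRED`, `REALM_SSL_OVERRIDE`, `ssl_required_for` and `redirect_uri_allowed` and the sample realms are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed data model (illustration only, not Keycloak's): one global default
# plus an optional per-realm override, mirroring the two designs in the thread.
GLOBAL_SSL_REQUIRED = True
REALM_SSL_OVERRIDE = {   # constructed sample realms
    "prod": None,        # None -> inherit the global default
    "dev": False,        # explicit opt-out for local development only
}


def ssl_required_for(realm: str) -> bool:
    """Effective setting: per-realm override if set, else the global default."""
    override = REALM_SSL_OVERRIDE.get(realm)
    return GLOBAL_SSL_REQUIRED if override is None else override


def redirect_uri_allowed(redirect_uri: str, realm: str) -> tuple[bool, str]:
    """Decide whether an authorization code may be redirected to this URI.

    Returns (allowed, reason) so the caller can log why a redirect was refused.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.fragment:
        # RFC 6749 section 3.1.2: a redirect URI must not carry a fragment.
        return False, "fragment not allowed in redirect URI"
    if ssl_required_for(realm) and parts.scheme != "https":
        # This is the case Bill describes: the code would travel in the clear.
        return False, "realm requires TLS: auth code would be sent over plain HTTP"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests showing the effective policy per realm.
    samples = [
        ("https://app.example/callback", "prod"),
        ("http://app.example/callback", "prod"),
        ("http://localhost:8080/callback", "dev"),
        ("https://app.example/callback#token", "dev"),
    ]
    for uri, realm in samples:
        allowed, reason = redirect_uri_allowed(uri, realm)
        print(f"{realm:5} {uri:42} -> {'allow' if allowed else 'deny '} ({reason})")
```

With the sample data, only the "dev" realm accepts an http:// redirect; an unknown realm inherits the global default and is treated as requiring TLS, which is the safe direction for a missing override.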

